create self-signed certificates for local domains #183

Closed
jkleinlercher opened this issue Jun 25, 2024 · 5 comments · Fixed by #228
Labels
kind/enhancement Enhancement, improvement, extension

Comments

@jkleinlercher
What would you like to be added:

Gardener Cert-Manager Issuer should be able to create self-signed certificates.

Why is this needed:

We use the project Kargo and there in https://github.com/akuity/kargo/blob/main/charts/kargo/templates/webhooks-server/cert.yaml
a certificate for dnsName "kargo-webhooks-server.{{ .Release.Namespace }}.svc" is created, to enable a TLS connection between the Kubernetes-API server and this admissioncontroller webhook.

The Project normally creates its own issuer to create a selfSigned certificate: https://github.com/akuity/kargo/blob/main/charts/kargo/templates/common/cert-issuer.yaml

Look at .spec.selfSigned

So we do not want to install cert-manager but use the gardener cert-manager to create a certificate. However, I didn't find a way to create self-signed certificates the way the cert-manager does.

Maybe someone can explain how to achieve this with the current features of gardener cert-management?

@jkleinlercher jkleinlercher added the kind/enhancement Enhancement, improvement, extension label Jun 25, 2024
@RaphaelVogel
Member

Hi @jkleinlercher
Yes this is possible, but probably not perfectly documented. See here.

The following steps need to be done:

1. Configure your shoot to allow custom issuers in the shoot cluster. By default issuers are created in the control plane of your cluster.

```yaml
kind: Shoot
...
spec:
  extensions:
  - type: shoot-cert-service
    providerConfig:
      apiVersion: service.cert.extensions.gardener.cloud/v1alpha1
      kind: CertConfig
      shootIssuers:
        enabled: true # if true, allows to specify issuers in the shoot cluster
...
```

2. Create a self-signed certificate and a private key

```bash
openssl req \
       -x509 -days 365 -newkey rsa:2048 -sha256 -nodes \
       -keyout key.pem -out cert.pem \
       -subj '/CN=host.example.com'
```

3. Create a tls secret from the self-signed cert in your shoot cluster

```bash
kubectl create secret tls ca-secret --cert=cert.pem --key=key.pem
```

4. Create an issuer in your shoot cluster referencing the tls secret

```yaml
apiVersion: cert.gardener.cloud/v1alpha1
kind: Issuer
metadata:
  name: issuer-ca
  namespace: default
spec:
  ca:
    privateKeySecretRef:
      name: ca-secret
      namespace: default
```

5. Create a cert resource and apply it to your shoot cluster

```yaml
apiVersion: cert.gardener.cloud/v1alpha1
kind: Certificate
metadata:
  name: cert-simple
  namespace: default
spec:
  commonName: cert1.mydomain.com
  dnsNames:
  - cert1-foo.mydomain.com
  - cert1-bar.mydomain.com
  # if issuer is not specified, the default issuer is used
  issuerRef:
    name: issuer-ca
    namespace: default  # must be specified when issuer runs in shoot!
```
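The steps above make one thing worth spelling out: the "self-signed certificate" created in step 2 is not the webhook's serving certificate, it is a CA. The `Issuer` of type `ca` signs every `Certificate` it is asked for with the key in `ca-secret`, so that secret is equivalent to the signing key of a private CA and should be RBAC-restricted accordingly, and it is the CA certificate (`cert.pem`), not the leaf, that belongs in the admission webhook configuration's `clientConfig.caBundle` so the API server can validate the connection. The Go program below is an added example written for this thread; it is not code from gardener/cert-management, Kargo or cert-manager. It does in-process what steps 2 to 5 do with openssl, kubectl and the `Issuer`: it builds a CA with `CA:TRUE` and `keyCertSign`, signs a serving certificate whose SANs cover `<service>.<namespace>.svc` (the name Kargo's chart requests for `kargo-webhooks-server`), renders the `kubernetes.io/tls` Secret that `kubectl create secret tls` would produce, and then performs the check the API server performs: chain to the caBundle plus SAN match. The CN `local-webhook-ca`, the namespace `kargo` and the secret name `ca-secret` are assumed values chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// WebhookPKI holds the PEM material the CA-type Issuer consumes (CA cert and
// key, i.e. the contents of the tls Secret) plus one leaf it has issued.
type WebhookPKI struct {
	CACertPEM, CAKeyPEM, LeafCertPEM, LeafKeyPEM []byte
}

// issue generates a P-256 key and signs tmpl with parent/parentKey, or
// self-signs when parent is nil. Serials are 128 random bits.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func certPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func keyPEM(k *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalECPrivateKey(k)
	if err != nil { return nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
}

// buildWebhookPKI creates the CA (what steps 2 and 3 put into ca-secret) and
// signs a serving certificate for <service>.<namespace>.svc with it (step 5).
// "local-webhook-ca" is an assumed CN, not a name used by the project.
func buildWebhookPKI(service, namespace string, validity time.Duration) (*WebhookPKI, error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "local-webhook-ca"},
		NotBefore:             now.Add(-5 * time.Minute),
		NotAfter:              now.Add(validity),
		IsCA:                  true, // the Issuer's key signs other certs, so CA:TRUE is required
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil { return nil, err }
	fqdn := fmt.Sprintf("%s.%s.svc", service, namespace)
	leaf, leafKey, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: fqdn},
		DNSNames:              []string{service, service + "." + namespace, fqdn}, // SANs; CN alone is ignored by Go and modern TLS stacks
		NotBefore:             now.Add(-5 * time.Minute),
		NotAfter:              now.Add(validity),
		BasicConstraintsValid: true, // IsCA stays false: the serving cert must not be able to sign further certs
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil { return nil, err }
	caKeyPEM, err := keyPEM(caKey)
	if err != nil { return nil, err }
	leafKeyPEM, err := keyPEM(leafKey)
	if err != nil { return nil, err }
	return &WebhookPKI{certPEM(ca), caKeyPEM, certPEM(leaf), leafKeyPEM}, nil
}

// verifyAsAPIServer performs the check the API server performs when it dials
// the webhook: the serving cert must chain to caBundle and carry dnsName.
func verifyAsAPIServer(caBundlePEM, servingCertPEM []byte, dnsName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caBundlePEM) { return fmt.Errorf("caBundle contains no certificate") }
	block, _ := pem.Decode(servingCertPEM)
	if block == nil { return fmt.Errorf("serving certificate is not PEM") }
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return err }
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// tlsSecretYAML renders the kubernetes.io/tls Secret that `kubectl create
// secret tls` produces from the CA pair; the Issuer's privateKeySecretRef points at it.
func tlsSecretYAML(name, namespace string, certPEM, keyPEM []byte) string {
	enc := base64.StdEncoding.EncodeToString
	return fmt.Sprintf("apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n"+
		"type: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n", name, namespace, enc(certPEM), enc(keyPEM))
}

func main() {
	pki, err := buildWebhookPKI("kargo-webhooks-server", "kargo", 365*24*time.Hour)
	if err != nil { panic(err) }
	fmt.Print(tlsSecretYAML("ca-secret", "default", pki.CACertPEM, pki.CAKeyPEM))
	fmt.Println("caBundle:", base64.StdEncoding.EncodeToString(pki.CACertPEM)) // goes into the webhook configuration
	fmt.Println("verify:", verifyAsAPIServer(pki.CACertPEM, pki.LeafCertPEM, "kargo-webhooks-server.kargo.svc"))
}
```

The `caBundle` line is the piece the thread's steps do not mention: the base64 of the CA certificate, not of the issued serving certificate, is what the `ValidatingWebhookConfiguration`/`MutatingWebhookConfiguration` needs. `verifyAsAPIServer` fails for a SAN that is not on the certificate and for a serving certificate signed by a different CA, which is exactly what you see as a TLS handshake error in the API server log when the bundle and the issuer get out of sync.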

@jkleinlercher
Author

jkleinlercher commented Jun 27, 2024

Hey @RaphaelVogel thank you so much for this detailed explanation. This helps a lot! On the other hand, it also shows me that it is much more complicated than in cert-manager, where I can create a selfsigned-issuer just with this without creating any ca-secret.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
```

I fully understand the spec extension in the shoot spec. However, creating a certificate and a secret brings me in the situation that I need to manage this secret somehow.

Is there an easier way like "spec.selfSigned" in cert-manager planned? https://cert-manager.io/docs/configuration/selfsigned/

@RaphaelVogel
Member

@jkleinlercher, we are working on a solution which is comparable to the one provided by cert-manager.

@gardener-ci-robot
Collaborator

The Gardener project currently lacks enough active contributors to adequately respond to all issues.
This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Mark this issue as rotten with /lifecycle rotten
  • Close this issue with /close

/lifecycle stale

@gardener-prow gardener-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 16, 2024
@MartinWeindel
Member

/remove-lifecycle stale

@gardener-prow gardener-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 17, 2024